Design network security and Policy

1
Design network security and Policy
CPEN1331 Network Security
2
????? Security
3
Information Security Threats List

• Confidentiality, integrity, and availability
• are defined below in relation to information
  technology to provide a better understanding of
  how they relate to your information security
  goal.

4

• Confidentiality (???????????????? also known as
  secrecy),
• meaning that the computing system's assets can be
  read only by authorized parties.
• Integrity (??????????????????????????????),
• meaning that the assets can only be modified or
  deleted by authorized parties in authorized ways.
• Availability (????????????????????????),
• meaning that the assets are accessible to the
  authorized parties in a timely manner (as
  determined by the systems requirements). The
  failure to meet this goal is called a denial of
  service.

5
INFOSEC (Information Security Service)
Availability
InfoSec Triangle
Confidentiality
Integrity
6
Network Security DesignThe 12 Step Program

• Identify network assets
• Analyze security risks
• Analyze security requirements and tradeoffs
• Develop a security plan
• Define a security policy
• Develop procedures for applying security policies

7
The 12 Step Program (continued)

• Develop a technical implementation strategy
• Achieve buy-in from users, managers, and
  technical staff
• Train users, managers, and technical staff
• Implement the technical strategy and security
  procedures
• Test the security and update it if any problems
  are found
• Maintain security

8
Network Assets

• Hardware
• Software
• Applications
• Data
• Intellectual property
• Trade secrets
• Companys reputation

9
Asset (Examples)

• User
• General user
• IT operations
• Executive staff
• Operational Infrastructure
• Connectivity
• Facility
• Security systems
• Environmental controls
• Third-party services
• Documentation
• Data
• Paper
• Electronic files
• Electronic media

10

• IT Equipment
• Logical network
• File servers
• Database servers
• Web servers
• Storage server
• Application servers
• User systems
• Third-party equipment/services
• Perception
• Public image
• Customer image
• Vendor/partner image

11
INFOSEC risk Assessment and Management

• Rick management

12
Security Risks

• Hacked network devices
• Data can be intercepted, analyzed, altered, or
  deleted
• User passwords can be compromised
• Device configurations can be changed
• Reconnaissance attacks
• Denial-of-service attacks

13
Security Tradeoffs

• Tradeoffs must be made between security goals and
  other goals
• Affordability
• Usability
• Performance
• Availability
• Manageability
• ??????????????????????????? ltltlt

14
A Security Plan

• High-level document
• ??????????????????????????????????????????????
  ????????????? security requirements ???????????
• High-level document ?????????????????????????
  ??????????????? ?????? CIO
• ????? ????, ??, ??? ??????????????????????????????
  ?? ??????? ?????????????????????????????? Policy
  ????????????

15
A Security Policy

• Per RFC 2196, The Site Security Handbook,
  (1997) a security policy is a
• Formal statement of the rules by which people
  who are given access to an organizations
  technology and information assets must abide.
• The policy should address
• Access, accountability, authentication, privacy,
  and computer technology purchasing guidelines

16
Security Mechanisms

• Physical security
• Authentication
• Authorization
• Accounting (Auditing)
• Data encryption
• Packet filters
• Firewalls
• Intrusion Detection Systems (IDSs)/ Intrusion
  Prevention System (IPSs)
• Network Access Control (NAC)

17
Security Layering
18
Modularizing Security Design

• Secure all components of a modular design
• Internet connections
• Public servers and e-commerce servers
• Remote access networks and VPNs
• Network services and network management
• Server farms
• User services
• Wireless networks

19
Securing Internet Connections

• Physical security
• Firewalls and packet filters
• Audit logs, authentication, authorization
• Well-defined exit and entry points
• Routing protocols that support authentication

20
Securing Public Servers

• Place servers in a DMZ that is protected via
  firewalls
• Run a firewall on the server itself
• Enable DoS protection
• Limit the number of connections per timeframe
• Use reliable operating systems with the latest
  security patches
• Maintain modularity
• Front-end Web server doesnt also run other
  services

21
Security Topologies
Internet
Firewall
DMZ
Enterprise Network
Web, File, DNS, Mail Servers
22
Securing Remote-Access and Virtual Private
Networks

• Physical security
• Firewalls
• Authentication, authorization, and auditing
• Encryption
• One-time passwords
• Security protocols
• CHAP
• RADIUS
• IPSec
• NAC

23
Securing Network Services

• Treat each network device (routers, switches, and
  so on) as a high-value host and harden it against
  possible intrusions
• Require login IDs and passwords for accessing
  devices
• Require extra authorization for risky
  configuration commands
• Use SSH rather than Telnet (Must)
• Change the welcome banner to be less welcoming

24
Securing Server Farms

• Deploy network and host IDSs to monitor server
  subnets and individual servers
• Configure filters that limit connectivity from
  the server in case the server is compromised
• Fix known security bugs in server operating
  systems
• Require authentication and authorization for
  server access and management
• Limit root password to a few people (Use sudo if
  possible)
• Avoid guest accounts

25
Securing User Services

• Specify which applications are allowed to run on
  networked PCs in the security policy
• Require personal firewalls and antivirus software
  on networked PCs
• Implement written procedures that specify how the
  software is installed and kept current
• Encourage users to log out when leaving their
  desks
• Consider using 802.1X port-based security on
  switches

26
Securing Wireless Networks

• Place wireless LANs (WLANs) in their own subnet
  or VLAN
• Simplifies addressing and makes it easier to
  configure packet filters
• Require all wireless (and wired) laptops to run
  personal firewall and antivirus software
• Disable beacons that broadcast the SSID, and
  require MAC address authentication
• Except in cases where the WLAN is used by visitors

27
WLAN Security Options

• Wired Equivalent Privacy (WEP) (useless)
• IEEE 802.11i
• Wi-Fi Protected Access (WPA)
• IEEE 802.1X Extensible Authentication Protocol
  (EAP)
• Lightweight EAP or LEAP (Cisco)
• Protected EAP (PEAP)
• Virtual Private Networks (VPNs)
• Any other acronyms we can think of? -)

28
VPN Software on Wireless Clients

• Safest way to do wireless networking for
  corporations
• Wireless client requires VPN software
• Connects to VPN concentrator at HQ
• Creates a tunnel for sending all traffic
• VPN security provides
• User authentication
• Strong encryption of data
• Data integrity

29
Summary
30
Review Questions

• How does a security plan differ from a security
  policy?
• Why is it important to achieve buy-in from users,
  managers, and technical staff for the security
  policy?
• What are some methods for keeping hackers from
  viewing and changing router and switch
  configuration information?
• How can a network manager secure a wireless
  network?